There are four critical security vulnerabilities in Ninja Forms, a popular WordPress plugin active on more than 1 million websites. Which both make it possible for a remote attacker to take over a WordPress site and cause a number of problems.
Ninja Forms offers WordPress site designers the ability to create forms using drag-and-drop capabilities.
The four bugs allow for a variety of malicious activities to be carried out by lower-privileged users (even those who have merely registered for a site). This entails eavesdropping on email on the web, taking over admin accounts, installing arbitrary add-ons on a target site, and redirecting site owners to malicious destinations.
To be effective, three of the bugs require social engineering.
Bug 1: Authenticated Email Hijacking and Account Takeover with SendWP Plugin
The first flaw allows attackers with or above subscriber-level access to abuse SendWP to intercept all mail traffic. Including administrative account password reset links, researchers said. SendWP is an email distribution and logging service design to ease the handling of mail through WordPress.
Attackers with or above subscriber access to a compromised WordPress site may be able to link SendWP to their own SendWP account. So that all mail from the WordPress site will be redirected and logged into the SendWP account of the attackers.
If exploited, according to Wordfence, this could potentially lead to remote code execution. And site takeover by using an admin account to change theme/plugin files or upload a malicious theme/plugin. Which said the vulnerability also carries an average CVSS rating of 9.9 out of 10. (CVEs are pending for all bugs).
“At that point they can monitor all data emailed which could range from user personally identifiable information (PII) from form submissions to reports generated on your site,” researchers warned. “Further, an attacker could trigger a password reset for an administrative user account. If they could discover the username for an account.”
According to Wordfence Review
According to the review, published on Tuesday, achieving this is not that hard.
“In order to provide this functionality, the plugin registers the AJAX action wp_ajax_ninja_forms_sendwp_remote_install,” researchers explained. “This AJAX action is tied to the function wp_ajax_ninja_forms_sendwp_remote_install_handler, that checks to see if the SendWP plugin is installed and activated. If the plugin is not currently installed, then it performs the installation and activation of the SendWP plugin.”
After the plugin has been successfully installed, the feature, along with the client_name, client_secret, register_url and client_url, will return the registration url. This is used to display the sign-up page to users and easily connect their instance of WordPress with SendWP.
“Unfortunately, this AJAX action did not have a capability check on it, nor did it have any nonce protection. Therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin. And retrieve the client_secret key needed to establish the SendWP connection,” according to the analysis.
Researchers note that a possible mitigation for widespread, automated abuse is the fact. That SendWP is a paid add-on, costing $9 per month per domain.
Bug 2: Authenticated OAuth Connection Key Disclosure
The second bug carries an average CVSS score of 7.7. And included in the Add-on Manager service of Ninja Forms, a centralised dashboard that allows users to remotely control all add-ons purchased from Ninja Forms.
According to Wordfence, attackers may build an OAuth link with their own account for a compromised WordPress website. And be able to install any purchased Add-On plugins on the target site they want.
In order to complete the malicious connection, in order to change the client id parameter in the site database with an altered AJAX operation, attackers will need to trick the site administrator into clicking a special link.
“The plugin registers the AJAX action wp_ajax_nf_oauth which used to retrieve the connection_url. That contains the information necessary, like the client_secret, to establish an OAuth connection with the Ninja Forms Add-On Management portal.” According to the analysis. “Unfortunately, there was no capability check on this function.”
This means that low-level users, such as subscribers, have been able to trigger the action. And retrieve the URL of the link necessary to create a dashboard connection. Researchers said that attackers could also retrieve the client ID for an already defined OAuth link.
Bug 3: Cross-Site Request Forgery to OAuth Service Disconnection
The third bug resides in the ability to quickly sever an existing OAuth link. With only a few clicks in the Ninja Forms Add-Ons Manager. This bug has a CVSS rating of 6.1, making it medium-gravity.
Wordfence noted that this “could be a puzzling experience for a site owner.” To do so, they will need to design a valid request, host it externally. And trick an administrator into clicking a link or attachment. Attackers may send a request to disconnect the current OAuth connection.
“In order to provide this functionality, the plugin registered an AJAX action wp_ajax_nf_oauth_disconnect tied to the function disconnect(). The disconnect() function would simply disconnect an established connection by deleting the options associated. With the connection settings in the database,” according to Wordfence. “Unfortunately, this feature did not have nonce protection.”
Bug 4: Administrator Open Redirect
In the OAuth link phase, the final problem is present; with a CVSS score of 4.8, it called medium-severity.
An attacker will have to craft a special URL with the redirect parameter set to an arbitrary site to take advantage of this. And then socially engineer an administrator to click the link. The administrator could redirected to an external malicious site if successful. Which could infect the computer of the administrator with malware.
“The plugin registers an AJAX action, wp_ajax_nf_oauth_connect, that registered to the function connect(). Which used to redirect a site owner back to the WordPress site’s Ninja Forms service page. After the user has finished the OAuth connection process,” according to the analysis. “This function uses wp_safe_redirect to redirect site owners back to the admin.php?page=ninja-forms#services page by default.”
The problem, however, is that it is possible to swap the ‘redirect’ parameter with different values to redirect the site administrator. To an arbitrary URL given by that parameter instead.
“There is no protection on the redirection URL validating where the redirect goes. Nor was there any protection to prevent an attacker from using the function to redirect a site administrator to a malicious location,” researchers explained. “There was the use of wp_verify_nonce(), however, it commented out and rendered unusable.”
The parent company of the plugin, Saturday Drive, has patched all the bugs fixed in version 220.127.116.11.
WordPress Plugin Security Problems
WordPress plugins appear to present significant limitations. In January, in a WordPress plugin called Orbit Fox, researchers warned of two vulnerabilities (one critical) that could allow attackers to insert malicious code into compromised websites and/or take control of a website.
Also in January, a fix for a serious bug was patched by developers of a plugin called Popup Builder-Responsive WordPress Pop up-Subscription & Newsletter, used by WordPress websites to build pop-up advertising for newsletter subscriptions. Attackers may exploit the vulnerability to send out newsletters. With custom content, or to delete or import subscribers to the newsletter.
You may also like: